On Fri, Jun 19, 2015 at 08:15:01PM +0200, Patrick McHardy wrote:
[...]
> >OK, so that transformation would look like:
> >
> >1) Fetch the existing elements in the set via netlink.
> >2) Handle merges with the elements that the user has passed through
> > command line.
> >3) Build the segtree.
> >4) Push it into the kernel. We need to mark all existing elements for
> > the deletion plus add the new elements, all that in one single
> > transaction.
> >
> >Is this your idea? So it looks like we need a bit more userspace code.
> >
> >With the existing approach, the kernel rejects overlapping segments
> >with -EEXIST, so if the user is careful to avoid them there should be
> >no problem. It's more restrictive than what the logic above, but set
> >declarations with intervals will work until that code lands in the
> >tree.
>
> Sorry, missed this part. Are you sure about that? I'm pretty sure we
> only reject exact duplicates. Otherwise I'd agree, that would be
> fine for now.
Yes, overlapping segments are rejected:
# nft add element test myset { 1.2.3.0/24 }
# nft add element test myset { 1.2.3.1 }
<cmdline>:1:1-34: Error: Could not process rule: File exists
add element test myset { 1.2.3.1 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft add element test myset { 1.2.3.0 }
<cmdline>:1:1-34: Error: Could not process rule: File exists
add element test myset { 1.2.3.0 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft add element test myset { 1.2.3.255 }
<cmdline>:1:1-36: Error: Could not process rule: File exists
add element test myset { 1.2.3.255 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# nft add element test myset { 1.2.3.30-1.2.4.30 }
<cmdline>:1:1-44: Error: Could not process rule: File exists
add element test myset { 1.2.3.30-1.2.4.30 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I'll send a v2 of this patch to replace the netlink_get_set() call so
this also works for set declarations in one single transaction.
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
